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Abstract 

In a fault tolerant control (FTC) system, a parameter varying FTC law is reconfigured based on fault parameters 
estimated by fault detection and isolation (FDI) modules. FDI modules require some time to detect fault occurrences 
in aero-vehicle dynamics. In this paper, an FTC analysis framework is provided to calculate the upper bound of an 
induced-£2 norm of an FTC system with existence of false identification and detection time delay. The upper bound 
is written as a function of a fault detection time and exponential decay rates and has been used to determine which 
FTC law produces less performance degradation (tracking error) due to false identification. The analysis framework 
is applied for an FTC system of a HiMAT (Highly Maneuverable Aircraft Technology) vehicle. 

Index Terms 

fault tolerant control system, linear parameter varying system, HiMAT vehicle. 

I. Introduction 

In the past decades, there has been interest in a fault tolerant control (FTC) system which has the ability to detect 
actuator/sensor faults automatically and to prevent faults from developing into a total system failure. Especially in 
designing a flight control system, an active FTC system has been researched for achieving single aircraft accident 
prevention [1] — [4]. An active FTC system consists of an FTC law, a fault detection and isolation (FDI) module 
and a supervisory system. An FTC law should react to actuator/sensor faults through reconfi guration and an FDI 
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module should detect actuator/sensor fault occurrences. Based on the information provided by an FDI module, a 
supervisory system decides which actuator/sensor is faulty and sends a signal to an FTC law for reconfi guration. 

In general, an active FTC law is designed, based on an open-loop system modeled as a function of fault 
parameters under the assumption that they are immediately identifi ed by an FDI module. Recently, using linear 
matrix inequality (LMI) optimization solutions [2]-[4], an active FTC law is synthesized in the form of a linear 
parameter varying (LPV) system whose dynamics vary as scheduling parameters change. Open-loop dynamics are 
modeled as an LPV system in which scheduling parameters are fault parameters that represent fault occurrences at 
actuators/sensors. An LPV-FTC law designed based on the open-loop system can robustly stabilize a closed-loop 
system and achieve desired performance during a fault occurrence under the assumption that fault parameters are 
measured in real-time. 

Typically, there is always some level of time-delay to detect faults regardless of FDI algorithms such as an 
extended Kalman FDI fi Iter [4] or an LPV-FDI fi Iter in which a fault detection signal is calculated based on 
residual signal [5], During a time-delay interval, an open-loop system is in a faulty condition but the information 
provided by an FDI module implies that the system is in a healthy condition. It is also possible that during a 
time interval an FDI module and a supervisory system may produce false identifi cation on healthy actuator/sensors, 
which may lead the system to be unstable at the moment. 

Since an FDI module and an FTC law are individually designed, without considering the other dynamics [3], 
[4], it is required to analyze a whole FTC system including both an FTC law and an FDI module, before they are 
implemented into a real system. A typical way of analyzing an FTC system is full nonlinear simulation with the pre- 
defi ned command inputs (not all possible command inputs), for possible fault scenarios. After detailed simulations, 
an FTC system may be validated for possible fault scenarios with expensive computational costs. There should 
be an alternative analysis method to detailed simulations to provide a certain criteria related with characteristics 
of an FDI module such as time-delay and possible false identifi cation. In this paper, an FTC analysis framework 
is suggested to describe performance degradation in terms of induced C 2 norm of a system due to possible false 
identifi cation and time delay in fault detection. Its upper bound is calculated by using LMI optimization and can be 
used to determine which FTC law has less worst-case performance degradation due to possible false identifi cation 
and possible time delay without detailed simulations. In this paper, it is demonstrated by applying the FTC analysis 
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framework to a HiMAT FTC system designed in Ref. [4], 

This paper contains the following sections. In section 2, an FTC system analysis problem is stated and an analysis 
methodology is described in section 3. In section 4, a HiMAT FTC system analysis is demonstrated. In section 5, 
this paper is concluded with a brief summary. 


II. Problem Statement 


To describe analysis problems on an FTC system, the general structure of an FTC system is briefly described 
here. As shown in Figure 1, an FTC system consists of an FTC law, an FDI module and a supervisory system 
(logics). When a fault occurs, the FDI module and supervisory system (logics) detect it and generate signals 
for evaluating/reconfi guring the FTC law. The FTC law is designed as an LPV system whose dynamics vary as 
scheduling parameters change [4], [6], [7]. The stability and performance level of a closed-loop system may change 
when a fault occurs, since the FDI model requires some time to detect fault. Hereafter, the required time is called 
detection time for an FDI module. During detection time, open-loop dynamics are in a faulty condition but the 
designed control law is not reconfi gured yet for it. It implies that there exists a moment when the closed-loop 
system is not in the predicted closed-loop dynamics set used in the LPV control synthesis procedure. 

In an FTC analysis framework, a closed-loop system is modeled as functions of fault parameters p(t) £ TV 1 ' 
and estimated fault parameters p(t) £ 7 Z n ‘ by an FDI module and a supervisory system since open-loop dynamics 
P(p) are dependent on actual fault parameters and the control law K (p) must use the estimates. The closed-loop 
system can be written as: 


% = A(P>P)x + B (p,p)d, 


( 1 ) 


e =C(p,p)x + D(p,p)d, 

where states x £ TV 1 *, disturbances d £ TV ld and errors e £ TV le . Note that fault parameters and estimated fault 
parameters are treated as parameters independent of each other in a closed-loop system to capture the dynamic 
variations due to possible false identification. Using a robust LPV control synthesis methodology in Refs. [4], [8] 
a control law K(p) is designed to robustly stabilize open-loop dynamic variations P(p ± S p ) with p satisfying the 
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condition: 

p(t) G S(p, S p ) := {p(t) | || p(t) - p(t) || < S p , 0 < 5 P } (2) 

where 5 P is an estimation error bound. Note that the condition is not valid during the detection time. 

The entire parameter space of a closed-loop system is defi ned as 

V '■= {(/»(*). Pi*)) I Pi*) G Fpi Pi *) G (3) 

where T p and T p are bounded compact sets in R n “ and can be divided into subspaces Vi such that 

m 

V ={jV i :=V 1 UV 2 ---UV m , 

<= i (4) 

0 =ViWj, i ^ j. i G T, j G 2. X:={1,2, ■■■ ,m}. 

For example, let’s defi ne a subspace 71 as T^i := {(p, p) \ p(t) G S(p, <5,,)}. When parameter trajectories (p(t), p(t)) 
stay in Vi , it implies that the closed-loop system should be stable because the controller is designed for that. During 
detection time, the condition (2) is not satisfi ed generally. In that case, parameter subspaces 7T • • • V m can be defi ned 
by a reader based on dynamic changes in the closed-loop system. Without loss of generality, a subspace V m is 
defined as the set of parameter trajectories (p(t), p(t)) when the closed-loop system is locally unstable along the 
trajectories. 

Definition 1 Local stability 

Suppose all matrices A(p, p) at fixed p and p in a subspace Vi are stable. Then the system is called locally stable 
in the subspace Vi. 


To represent dynamic variations of the system in Eq (1) over each parameter subspace, a duration time over 
each subspace is defined as follows [9]: 

Definition 2 Duration time T p; over each parameter subspace : 


T Pi (t a ,t ) = T 0i + f Oi(p(s), p(s))ds, 


fit > t 0 > 0, 


(5) 
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i(p(s),p(s )) = < 


0, (p(s),p(s)) <£Vi. 


i, (p(s),p(s)) G Vi, iei. 


(6) 


A duration time is bounded as 


r 0i < T Pi < T 0i + ai(t — t 0 ) 


(7) 


where 0 < a, < 1 and 0 < T 0i . The constant a* represents a ratio of the duration time in the i-th subspace to the 
total time and T 0i is the duration time for a system to stay in the i-th subspace during the interval [0, t 0 \. Note 

that E!=i a* = 1 and Y.iU T 0i = t 0 . 

Consider the case that the system is assumed to be locally unstable in the rn-th subspace. The constant a, n < 1 
plays an important role in stability analysis used to fi nd an asymptotic stability ratio [9], which is related to stability 
margin of the system. 


III. Analysis Method 


A. Stability analysis 


ml 


Suppose a system in Eq. (1) is locally stable in the set of [J V, and locally unstable in the parameter subspace 


i—1 


'Pm- 


Proposition 1 [9]: Suppose there exists a positive definite matrix P(p) such that 


A T (p, p)P{p) + P(p)A(p, p) + P(p) < -XiP(p), (p, p) G Vi, locally stable 
A T (p, p)P(p) + P(p)A(p, p) + P(p) < nP(p), (p, p) G V m , locally unstable 


( 8 ) 


where 


0 < k, 0 < A* < Ai, i G I — {m}. 


(9) 


The system in Eq. (1) is exponentially stable with a decay rate: 

m— 1 

A = Ai - (Ai — A^)a^ — (Ai + 


( 10 ) 


i = 2 
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under the condition: 


OLjyi OLt 


A min T ttj 


(ID 


where A min = min{Aj}, i el - {m}. 

Proof: Set a Lyapunov function as V = x T (t)P(p)x(t), P(p ) £ Jl n * xn *. Using Eq. (8), the time derivative of 
the Lyapunov function is 


V< < 


-A iV, 


(kV, 


(, P , P) tPi, i e X- {m}, 

(p, p) eP ra . 


( 12 ) 


From Eq. (12), 


V <e Al(t Sfc 2 T Pi) EUs 1 A i T Pi +KTp m y^ o ^ vf > t 0 > 0. 


(13) 


Taking the upper bound of the duration time over each parameter subspace, Eq. (13) is rewritten as: 


V < U(f 0 )e~ to)+J2il=2 1 (^1 — Ai)T oj +(Ai + K)T 0 , 


(14) 


where 


771—1 

A := Ai - (Ai - A i)«i - (Ai + «)a m . (15) 

i= 2 

Without loss of generality, the constant Ai can be set as riiax{A,}. i £ X — {m}. Thus, the term Ai — A* is always 
positive over the parameter subspaces Vi, i £ X — {1, m}. The lower bound of the constant A is 


m— 1 

A > Aj . — Ai ^ ' (Al A rnin)@-i (Al T (16) 

i = 2 

When the condition in Eq. (11) is satisfi ed, it can be easily shown that the system is exponentially stable. ■ 


In the FTC system analysis, the constant at can be interpreted as tolerance of instability during a detection time 
interval. For example, at = 0.1 implies that the closed-loop system can stay in the parameter subspace V m for at 
most 10 % of the total interest time without loss of exponential stability. Given fault tolerant control laws, we can 
analyze stability of the closed-loop system in terms of a constant at value. The stability analysis problem can be 
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formulated into an optimization problem as: 

max at, s.t. Eq.(8). (17) 

K>0,\ rrt i n >0 

The optimization is solved by checking feasibility of the LMI constraints of Eq. (8) using the LMI Toolbox [11] 
and line searching over A, and n values. 


B. Performance analysis 

For a closed-loop system of Eq. (1), an induced-£ 2 norm is defined as: 

sup IMK (18) 

( P ,p)ev,dec 2 ,\\d\\ 2 j! : o ||«||2 

In this paper, the performance level of an FTC system with false identifi cation and detection time delay is calculated 
in terms of the induced-/^ norm as follows: 

Proposition 2: Suppose there exists a positive definite matrix P(p) £ 7?." !tX ” x such that 

A T P + PA + P + XiP PB 7~ 1 C t 

b t p _j - i d t <0, (p, p) G Vt, 

7 - X C 7 - l D -I 

r i (19) 

A T P + PA + P- kP PB 7~ 1 C t 

B t P —I 7 ~ 1 d t < (P> P) e ^ >m ■ 

7 X C -I 

The induced- C 2 norm from d to e of the closed-loop system is no larger than M 7 where 



A = Al - Efc2 1 ( A l “ ~ (^1 + K ) a m ■ (21) 

Under the condition a m < at := . Ami " A > 0. 

(Amin 
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Proof: Set V = x T (t)P(p)x(t). Then using Eq. (19), the time derivative of the Lyapunov function V is 


V < < 


-A i y+||d|| 2 - 7 - 2 ||e|| 2 , (p,p)GVi 
kV + ||d|| 2 -7 _2 ||e|| 2 , (p,p)eV n 


Using Eq. (22), V is rewritten as: 


V(t)<e f ^V(t 0 ) + e^HWd^W 2 - 7 - 2 \\e( S )\\ 2 )d S , 


where 


m— 1 


f(s, t) = - Ai (t - s - ^2 T Pi ( s > t)) - ^2 x i T Pi ( s > t) + KT Pm (s, t). 


i = 2 


i = 2 


Ai 


rOO 

L l|e( 


s )H 2 d S < v{to) 


A 1+ «)T 0m , I p E™2 1 (Ai-A i )T 0i +(A 0 + «)T 0 , 

A + A 


rOO 

J iMwir 


( 22 ) 


(23) 


Since V (t) >0, ft > t 0 > 0, the following inequality is extracted from Eq. (23): 

7 2 ^ e Al ( t ~ s )||e(s)|| 2 ds < e^ to,t ^V(t 0 ) + J e^ s,t ^\\d(s)\\ 2 ds, ft > t 0 > 0. (24) 

Using Eq. (7) and the deft nition of A in Eq. (21), it is derived that 

7 ~ 2 J* e _A i( t_ *)||e(s)|| 2 ds < V(t 0 )e^=i( x 1 ~ Ai ) T °i+( Al + K ) T °™-*(i-i°) 

Integrating both sides of Eq. (25) over the interval \t 0 . oo) leads to 


(25) 


ds. (26) 


Thus, the upper bound M 1 of the induced-/^ norm is 


M 1 = 71 


^gZ)S=2 1 (‘^i — Ai)T Gi +(Ai+«)T Cm ^ 

A 


(27) 
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The constant M 7 represents the upper bound of the worst-case performance level due to false identifi cation and the 
time delay. Thus, the performance analysis problem is formulated into an optimization problem: 


min My, s.t. Eq.(19). 

A;>0,k>0,7>0,P>0 


(28) 


The optimization problem Eq.(28) is solved by line searching over pre-defi ned \ and k ranges and using the 
LMI Toolbox [11]. First, feasible ranges of A , and k are chosen based on few test run results. Second, the minimum 
value of 7 is calculated using the LMI Toolbox [11] at fi xed \ and k values with the constraint Eq. (19). Third, an 
upper bound M 1 is calculated with given time delay values T 0i and steps 2 and 3 are repeated to fi nd the minimum 
value of M 7 over the pre-defi ned \ and k ranges. 


IV. Example 


A. HiMAT FTC System 


The HiMAT FTC system taken from Ref. [4] is briefly described here before applying the analysis framework 
suggested in section 3. The model has two inputs u : elevons S e and canards S c ~, two outputs y: angle of attack a 
in radians and pitch angle 9 in radians; and four states x : velocity V in ft/sec, angle of attack a , pitch rate q in 
rad/sec, and pitch angle 9. The LPV model of the HiMAT vehicle [4] is 



77 0 


0.1 

0 

x = Ax + B 

l 

P 

O 

1 

u + B 

0 

0.1 


(29) 


w = A z, 



0 62 


|^1 1 < 1 , |^2 | < 1 


(30) 


where the detailed elements of the system matrices A , B , and C are in Ref. [4], It is noticed from Eq. (29) that 
faults on the actuators are modeled as control sensitivity variations (a function of fault parameters 77 and 72 ) under 
the assumption that estimation error bound is 0.1. Consider a failure case that one actuator is failed at a time to 
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keep controllability of the open-loop system non-zero. To represent one fault at a time, the scheduling parameter 
of the LPV model is chosen as p such that 


0 < p < 1 : 

: 0 < n < 1, 

T 2 = 1 

Elevon failure 


P= 1 : 

: n = 1, 

7-2 = 1 


(31) 

1 < p < 2 : 

: n = 1, 

0 < r 2 < 1 

Canard failure. 



For the detailed fault models, the reader is referred to Ref. [4], 

The on-line FDI module and FTC control laws are taken from Ref. [4] and are very briefly described here. The 
fault parameters n and ti are estimated by the on-line FDI module designed using a two-stage extended Kalman 
fi Iter [4], [12]. Using the same logics in Eq. (31), the estimated scheduling parameter p is calculated from estimated 
fault parameters f\ and f->- The LPV-FTC laws Ka and Kb are designed using the conventional LPV control 
synthesis [7] and the robust LPV control synthesis [4], respectively. In the conventional LPV synthesis method, it 
is assumed that scheduling parameters are exactly measured. In the robust LPV synthesis method [4] scheduling 
parameters can be estimated within a given estimation error bound. In the control synthesis process, the design 
objective is to reduce pitch angle command tracking error for both controllers. Note that false identifi cation and 
estimate time-delay are not considered in the control synthesis procedure. 

In this example, it will be determined which controller can generate less pitch angle command tracking error due 
to false identification without detailed simulations. In this model, false identification cases can be 1) canard failure 
indicated by the LDI module for actual elevator failure or 2) elevator failure indicated for actual canard failure for 
a short time interval. Here only the fi rst case of false identifi cation is be analyzed because it can severely affect the 
closed-loop dynamics. Note that the closed-loop system is locally unstable for the fi rst case but not for the second 
case. 

To analyze the false identifi cation (p = 2 and p « 0), the parameter set V is divided into three subspaces such 
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as 

~Pi = {(p, P) I P = 2, 0.9 < p < 2}, 

V 2 ={(p,p)\p=2, 0.1 < p < 0.9}, (32) 

V 3 = {(p,p)\p = 2, 0.0<p<0.1}. 

The parameter subspaces are determined based on the dynamic variations of the closed-loop system. More specif- 
ically, the subspace V\ is set because the LPV control law is designed for the predicted closed-loop dynamics in 
the subspace V\ [4]. The subspace 'P -2 is set because the closed-loop system is locally stable but the closed-loop 
dynamics set in the subspace V 2 is not considered in the control synthesis procedure. The subspace V:>, is set for 
the false identification case in which the closed-loop system is locally unstable in P>. 

B. Stability analysis on the HiMAT FTC system 

In this subsection, stability of the HiMAT FTC system is analyzed for the false identifi cation that leads to 
the closed-loop system being locally unstable. The LMI constraints in Eq. (8) are evaluated at grid points p £ 
{0, 0.1, 0.2, ■ ■ • , 2} over the parameter subspaces deft ned in Eq. (32). To solve the optimization problem in Eq. (17), 
the ranges of Ai, A 2 , and k are deft ned as 0.01 < ,\ < 0.1, 0.01 < A 2 < 0.1, and 5 < k < 10, respectively. With 
fixed A 2 , and k values in each range, the feasibility of the LMI constraints is checked with a constant matrix 
P and a parameter dependent matrix P(p) for reducing conservatism in LMI solution [7], respectively. To use a 
parameter dependent matrix P(p). the time derivative p is required to determine P = p 9P gp ■ In this example, the 
basis functions for Pip) and the bound of time derivative p are taken from Ref. [4]. Note that it is still unknown 
how to choose optimal basis functions in LPV control synthesis. 

The calculated at values are 5 x 1 0 for the control K,\ and 8 x 1 0 3 for the control Kb using P or Pip)- 

There is not much difference using between constant V and Pip) in stability analysis results. It is noticed from 
the analysis results that the closed-loop system can be stable if the false identification occurs every 100 sec time 
with duration 0.5 sec. Both controllers have similar effects on closed-loop stability due to the false identifi cation. 
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TABLE I 

Performance analysis results 


constant matrix P 

Controller 

Al 

A2 

K 

7 

K a 

3 x 10~ 3 

1 x 10~ 3 

9.4 

0.42 

K b 

6 x 10~ 4 

1 x 10~ 4 

5.85 

2.14 

parameter dependent P(p) 

Controller 

Ai 

A2 

K 

7 

K a 

6 x 10~ 4 

1 x 10~ 4 

9.4 

0.34 

K b 

6 x 10~ 4 

1 x 10~ 4 

3.7 

0.63 


C. Performance analysis on the HiMAT FTC system 

In this section, the upper bound of the induced-/^ norm from pitch angle command to tracking error of the 
FTC system is calculated due to the false identification. Using line searching over the Al, A 2, and k ranges, the 
analysis results are shown in Table I. Using the analysis results in Table I for each controller, the M 1 variations are 
calculated due to false identifi cation time variations using Eq. (27) and are shown in Figure 2. Note that the 
duration time T 02 is set as 0.2 sec here. Since Ai and A2 are similar values, the time T 02 does not affect much the 
upper bound M 7 . It is observed from Figure 2 that performance analysis results are signifi candy different using a 
constant matrix P and a parameter dependent matrix P(p). Recall that using a parameter dependent matrix P(p) 
can reduce conservatism in results of FMI [7], It is easily noticed from Figure 2 that when a false identification 
time is short (T 03 < 0.22 sec), the M 1 with the I\a control law is less than that with the Kb control law. When 
the time is long (T 03 > 0.22 sec), the M 1 values are vice versa. The analysis results imply that the K \ control 
law leads to less tracking error when T 03 < 0.22 sec and the Kb control law leads to less tracking error when 
T 03 > 0.22 sec. To validate the FTC system performance analysis results, the closed-loop system with a step 
pitch angle command at 1 sec is simulated with assumption of false identifi cation detection time T 03 = 0.1, 0.2, 0.4 
and 0.8 sec for each control law. In each simulation, canards are failed at 1 sec. The tracking error time histories 
are plotted in Figure 3 for each case. Obviously noticeable is that the error norm of ||# — 6 cm d\\2 with the Ka 
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control law is larger than that with the Kb control law at the T 0a = 0.4 and 0.8 sec cases. Also, the error norm 
with the Kb control law is larger than that with the Ka control law at the T 03 = 0.1 and 0.2 sec cases. It shows 
that the parameter dependent analysis results in Figure 2 correspond to the simulation results in Figure 3. 

V. Conclusion 

In this paper, the FTC system analysis problem is formulated into an optimization problem with LMI constraints 
which are evaluated at grid points over the stable/unstable parameter subspaces. From the stability analysis, the 
stability margin of an FTC system can be calculated for possible false identifi cation when a fault occurs. From the 
performance analysis, the upper bound of the induced-/^ norm of the FTC system represents worst-case performance 
during the detection time interval of FDI modules. The upper bound is calculated as a function of the detection 
time interval and exponential decay rates over each parameter subspace. It indicates performance degradation due to 
false identifi cation. The usage of the FTC system analysis is demonstrated via analysis of the FTC HiMAT system. 
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